I am beginning to like Axiom the more I use it.
It's new but I believe that it has a future.
It is lacking a lot of features that exist in other tools and I would like to see brought into Axiom.
1. One feature is sorting the pictures by size, or any value. You can sort in list view but when you change to icon, or gallery view, the sorting is returned to whatever Axiom defaults to, and there is no way to resort.
2. Another feature that I am trying to figure out as we speak, in their help file Axiom explains how to tell what devices (USB) have been plugged into a computer by s#, dates, times, etc, but apparently Axiom does not glean that information from the USB devices themselves.
So, I have several USB drives that I have no idea if they have a ser# and no way to tell if they were the devices plugged into this computer.
I haven't fully committed to purchasing Axiom yet, I still have a couple weeks, but I think they are responsive to requests and I think that it can replace a couple of other high priced tools that I want to rid my tool box of.
So, I have several USB drives that I have no idea if they have a ser# and no way to tell if they were the devices plugged into this computer.
Are they unusual devices? There are ways to figure out the serial number, but I don't want to patronise you by posting them if they aren't your straightforward USB sticks D
Ok, I apologize,
I need to rephrase my issue. All my "devices" are E01 images.
A complete physical image was created of the original device.
Is there any way that the serial number would have been extracted from the E01?
FTK imager was used to do a physical copy.
1. One feature is sorting the pictures by size, or any value. You can sort in list view but when you change to icon, or gallery view, the sorting is returned to whatever Axiom defaults to, and there is no way to resort.
You can do this already. Go to thumbnail view, select Pictures, then right-click and sort by whatever value you want to sort on. Obviously it's easier when you can just click on the column but in thumbnail view, we added it as a right-click since there are no columns to represent the data in that view.
2. Another feature that I am trying to figure out as we speak, in their help file Axiom explains how to tell what devices (USB) have been plugged into a computer by s#, dates, times, etc, but apparently Axiom does not glean that information from the USB devices themselves.
So for this, the info isn't normally stored on the actual devices, the Windows OS typically controls this info. Which is why we'll pull it from the installed OS. This is handled a little differently since I assume they're not bootable with an OS installed on them and just have one or more logical volumes on it. Not all USB mass storage devices actually have a physical serial number tied to it. Windows will try to use it if it's there, otherwise it will create its own unique serial to identify different device connections.
You mentioned that you have images of the actual USB devices? Even if there are physical serial numbers associated to it, it's not always in the VBR (or MBR depending on the device) which is all your E01 image will have. You may need a separate tool to read the physical chip on the USB. I tend to use usbview.exe as a separate tool to read USB physical devices. It's free and worth a shot.
Hope that helps, feel free to reach out with any more questions or suggestions.
Jamie McQuaid
Magnet Forensics
You mentioned that you have images of the actual USB devices? Even if there are physical serial numbers associated to it, it's not always in the VBR (or MBR depending on the device) which is all your E01 image will have. You may need a separate tool to read the physical chip on the USB. I tend to use usbview.exe as a separate tool to read USB physical devices. It's free and worth a shot.
Yep, the serial is embedded in the controller, there are several tools that can read the serial, I would recommend the nice Nirsoft one
http//
though it is usually a good idea to also know the chip manufacturer and actual controller in the stick (or USB bridge) using more specialized tools *like* those listed here (Russian page, use Google Translate or similar)
http//
jaclaz
Thanks guys, this is what I figured.
Since I will not be able to retrieve the actual thumbdrive, I will have to try to match up artifacts from the thumbdrive to one or more of the 30+ devices.. 😯
I read an article that states that the thumbdrive formatted in FAT32 may store a volume serial number at 0x042.
I may try to use that info and see if that will help.
Thanks Jamie for that advice on sorting.
I will try the right click tomorrow. That helps a lot.
Thanks for the thumbdrive info too..!
Thanks jaclaz,
It won't help on E01s but I will try some of those tools.
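The volume serial number mentioned above is stored in the boot sector of the volume, so it is present in a physical image. As an added example (not code from any poster or from Magnet Forensics), this Python reads it from a raw (dd) export of an image; in the FAT32 boot sector the byte at 0x42 is the extended boot signature and the serial is the four bytes that follow it. The names `volume_serial`, `find_serials` and `sample_image` are hypothetical, and 512-byte sectors with either an MBR or no partition table are assumed.

```python
import io
import struct

SECTOR = 512  # assumed sector size

def _fmt(v):  # Windows displays 32-bit volume serials as XXXX-XXXX
    return "%04X-%04X" % (v >> 16, v & 0xFFFF)

def volume_serial(vbr):
    """Return (filesystem, serial) for one 512-byte boot sector, else None."""
    if len(vbr) < SECTOR or vbr[510:512] != b"\x55\xaa":
        return None
    if vbr[3:11] == b"NTFS    ":   # 8-byte serial at 0x48
        return "NTFS", "%016X" % struct.unpack_from("<Q", vbr, 0x48)[0]
    if vbr[3:11] == b"EXFAT   ":   # 4-byte serial at 0x64
        return "exFAT", _fmt(struct.unpack_from("<I", vbr, 0x64)[0])
    # FAT32: extended boot signature 0x29 at 0x42, serial in the next 4 bytes
    if vbr[0x42] == 0x29 and vbr[0x52:0x57] == b"FAT32":
        return "FAT32", _fmt(struct.unpack_from("<I", vbr, 0x43)[0])
    # FAT12/16: same fields earlier in the sector (signature 0x26, serial 0x27)
    if vbr[0x26] == 0x29 and vbr[0x36:0x39] == b"FAT":
        return "FAT12/16", _fmt(struct.unpack_from("<I", vbr, 0x27)[0])
    return None

def find_serials(img):
    """Scan a raw image (binary file object); return [(start_lba, fs, serial)]."""
    img.seek(0)
    first = img.read(SECTOR)
    starts = [0]  # sector 0 is the volume itself unless it turns out to be an MBR
    if volume_serial(first) is None and first[510:512] == b"\x55\xaa":
        starts = [struct.unpack_from("<I", first, off + 8)[0]
                  for off in range(446, 510, 16) if first[off + 4]]
    found = []
    for lba in starts:
        img.seek(lba * SECTOR)
        hit = volume_serial(img.read(SECTOR))
        if hit:
            found.append((lba,) + hit)
    return found

def sample_image():  # constructed: MBR, one FAT32 partition at LBA 2, made-up serial
    mbr, vbr = bytearray(SECTOR), bytearray(SECTOR)
    mbr[450], mbr[454:458], mbr[510:512] = 0x0C, struct.pack("<I", 2), b"\x55\xaa"
    vbr[0x42:0x47], vbr[0x52:0x5A] = b"\x29\x78\x56\x34\x12", b"FAT32   "
    vbr[510:512] = b"\x55\xaa"
    return io.BytesIO(bytes(mbr) + bytes(SECTOR) + bytes(vbr))

if __name__ == "__main__":
    print(find_serials(sample_image()))
```

The value returned for each image can then be compared with the volume serial numbers Windows records for removable volumes on the examined computer, for example in shortcut (LNK) files.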
Thanks jaclaz,
It won't help on E01s but I will try some of those tools.
Use FTK Imager to reacquire into raw format.
With respect to Axiom it is a really easy to use tool. Like IEF it's still worth having in the kit imho.
Qualifiers for easy is the pervasiveness of
*Searching results of tool
*Reporting based on Tags
*Many Formats for Reporting
*The metadata of all found artifacts makes the results easily reproducible
Hope this helps.
Future hopes for tool
*Identification of Track1/2 Data
*Identification of SSN/NSN